author | Martin Polden <mpolden@mpolden.no> | 2018-10-25 09:08:19 +0200 |
---|---|---|
committer | Martin Polden <mpolden@mpolden.no> | 2018-10-25 09:08:19 +0200 |
commit | aa9a8b2a3f748f604f6ead02326ec80ed8aa6378 (patch) | |
tree | ae5f887cf6ac2dc016552170fa44fc76f9e1960f /node-repository | |
parent | d52b10e09dbd4c5b842e22aa6a543f0ce694c209 (diff) |
Support ACLs for controllers and hosts
Diffstat (limited to 'node-repository')
2 files changed, 50 insertions, 9 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
index b0e1632002b..a68a497858d 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
@@ -182,18 +182,18 @@ public class NodeRepository extends AbstractComponent {
 // For all cases below, trust:
 // - nodes in same application
- // - config servers
 // - ssh
 node.allocation().ifPresent(allocation -> trustedNodes.addAll(candidates.owner(allocation.owner()).asList()));
- trustedNodes.addAll(candidates.nodeType(NodeType.config).asList());
 trustedPorts.add(22);
 switch (node.type()) {
 case tenant:
 // Tenant nodes in other states than ready, trust:
+ // - config servers
 // - proxy nodes
 // - parent (Docker) hosts of already trusted nodes. This is needed in a transition period, while
 // we migrate away from IPv4-only nodes
+ trustedNodes.addAll(candidates.nodeType(NodeType.config).asList());
 trustedNodes.addAll(candidates.parentsOf(trustedNodes).asList()); // TODO: Remove when we no longer have IPv4-only nodes
 trustedNodes.addAll(candidates.nodeType(NodeType.proxy).asList());
 if (node.state() == Node.State.ready) {
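Review bot: In the `tenant` arm the added `trustedNodes.addAll(candidates.nodeType(NodeType.config).asList())` is placed before `candidates.parentsOf(trustedNodes)`, so the parents of config servers are presumably pulled into a tenant node's ACL together with the parents of its application nodes; that matches the pre-change behaviour, where config servers were added before the switch, but the ordering is now load-bearing and the TODO on the very next line invites someone to drop or move lines here. Record the dependency on the added line, e.g. `// Must precede parentsOf() below so config-server parents are trusted as well`, or state explicitly that they are not meant to be if that is the intent. The enclosing method and the declarations of `trustedNodes` and `trustedPorts` start before this hunk.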
@@ -206,26 +206,43 @@ public class NodeRepository extends AbstractComponent { break; case config: - // Config servers trust all nodes + // Config servers trust: + // - all nodes + // - port 4443 from the world trustedNodes.addAll(candidates.asList()); - - // And all connections on 4443 trustedPorts.add(4443); break; case proxy: - // Accept connections from the world on 443 (for dashboard app), 4080 (insecure tb removed), and 4443 + // Proxy nodes trust: + // - config servers + // - all connections from the world on 443 (for dashboard app), 4080 (insecure tb removed), and 4443 + trustedNodes.addAll(candidates.nodeType(NodeType.config).asList()); trustedPorts.add(443); trustedPorts.add(4080); trustedPorts.add(4443); break; case host: - // This is only needed for macvlan networks - for nated networks this is handled elsewhere. - // Docker bridge network + // Docker hosts trust: + // - config servers + // - Docker bridge network. This is only needed for macvlan networks - for nated networks this is + // handled elsewhere. + trustedNodes.addAll(candidates.nodeType(NodeType.config).asList()); trustedNetworks.add("172.17.0.0/16"); break; + case controller: + case controllerhost: + // Controllers and their hosts trust: + // - all controllers + // - all controllerhosts + // - port 4443 (HTTPS) from the world + trustedNodes.addAll(candidates.nodeType(NodeType.controller).asList()); + trustedNodes.addAll(candidates.nodeType(NodeType.controllerhost).asList()); + trustedPorts.add(4443); + break; + default: throw new IllegalArgumentException( String.format("Don't know how to create ACL for node [hostname=%s type=%s]", diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java index c5f33800283..4a9da07e11d 100644 --- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java 
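Review bot: The new `controller`/`controllerhost` arm gives a controller host exactly the controller's ACL, including `trustedPorts.add(4443)` from the world, whereas the `host` arm for Docker hosts trusts config servers and the bridge network `172.17.0.0/16` instead; if a controllerhost runs its controller in a container the way `host` does, the bridge-network rule is presumably needed here as well, and if the host does not itself serve HTTPS, opening 4443 on it widens exposure without a stated reason. Either way the shared arm should record the decision, e.g. `// controllerhost deliberately shares the controller ACL: no config-server or bridge-network trust — confirm against the controller deployment`. The switch and the enclosing method start before this hunk, and the `throw` in `default` continues past its end.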
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java @@ -1,6 +1,7 @@ // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.provision.provisioning; +import com.google.common.collect.ImmutableSet; import com.yahoo.component.Version; import com.yahoo.config.provision.ApplicationId; import com.yahoo.config.provision.Capacity; @@ -164,7 +165,7 @@ public class AclProvisioningTest { } @Test - public void trusted_nodes_for_child_nodes_of_docker_host() { + public void trusted_nodes_for_children_of_docker_host() { List<Node> configServers = tester.makeConfigServers(3, "default", Version.fromString("6.123.456")); // Populate repo 
@@ -189,6 +190,29 @@ public class AclProvisioningTest { } @Test + public void trusted_nodes_for_controllers_and_hosts() { + List<Node> controllers = tester.makeReadyNodes(3, "default", NodeType.controller); + List<Node> controllerHosts = tester.makeReadyNodes(3, "default", NodeType.controllerhost); + List<List<Node>> controllersAndHosts = Arrays.asList(controllers, controllerHosts); + + // Allocate + ApplicationId controllerApplication = tester.makeApplicationId(); + allocateNodes(Capacity.fromRequiredNodeType(NodeType.controller), controllerApplication); + + ApplicationId controllerHostApplication = tester.makeApplicationId(); + allocateNodes(Capacity.fromRequiredNodeType(NodeType.controllerhost), controllerHostApplication); + + // Controllers and hosts all trust each other + List<NodeAcl> controllerAcls = tester.nodeRepository().getNodeAcls(controllers.get(0), false); + assertAcls(controllersAndHosts, controllerAcls); + assertEquals(ImmutableSet.of(22, 4443), controllerAcls.get(0).trustedPorts()); + + List<NodeAcl> controllerHostAcls = tester.nodeRepository().getNodeAcls(controllerHosts.get(0), false); + assertAcls(controllersAndHosts, controllerHostAcls); + assertEquals(ImmutableSet.of(22, 4443), controllerHostAcls.get(0).trustedPorts()); + } + + @Test public void resolves_hostnames_from_connection_spec() { tester.makeConfigServers(3, "default", Version.fromString("6.123.456")); |
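Review bot: `trusted_nodes_for_controllers_and_hosts` only ever provisions controllers and controller hosts, so `assertAcls(controllersAndHosts, controllerAcls)` cannot tell the intended ACL apart from one that trusts every node in the repository, which is what the `config` arm does; provision at least one config server first, as `trusted_nodes_for_children_of_docker_host` does with `tester.makeConfigServers(3, "default", Version.fromString("6.123.456"))`, so the test fails if controllers start trusting nodes of other types. Both ACLs are also checked only through element 0 of the returned list, which relies on `getNodeAcls(node, false)` yielding exactly one ACL for these nodes; a short comment on the `false` argument would make that assumption visible. The test method starts and ends within this hunk.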